Before the Committee on Government Reform
U.S. House of Representatives

For Release on Delivery
Expected at 10:00 a.m. EST
Thursday, April 7, 2005
CC-2005-025

Department of Transportation’s Implementation of the Federal Information Security Management Act

Statement of Theodore Alves
Assistant Inspector General for Financial and Information Technology Audits
U.S. Department of Transportation

____________________________________________________________________

Mr. Chairman, Ranking Member Waxman, and Members of the Committee:

Thank you for the opportunity to testify today on the progress and challenges the Department of Transportation (DOT) faces in implementing the Federal Information Security Management Act (FISMA). This Committee has been a driving force behind the improvements the Federal Government has made in protecting important information and information systems over the last several years. These improvements are essential to prevent the severe disruptions that can result from attacks by hackers or by others who are intent on harming the United States and its citizens. I also want to take this opportunity to compliment the Office of Management and Budget (OMB), the National Institute of Standards and Technology (NIST), and the Government Accountability Office (GAO) for the leadership roles they have played in this effort.

The Department of Transportation’s 12 component agencies are responsible for one of the largest information technology (IT) investment portfolios among civilian agencies. An annual budget of about $2.7 billion supports over 480 information systems that are critical to carrying out the Department’s mission of ensuring fast, safe, efficient, accessible, and convenient transportation. For example, the National Highway Traffic Safety Administration maintains a safety defects information system that receives manufacturer early warning reporting information to track and manage automobile defect and recall data. The Federal Highway and Federal Transit Administrations maintain systems that process over $35 billion in grants awarded to states and local governments.

The Federal Aviation Administration (FAA) operates about 100 systems to provide safe and efficient air traffic control services. Recognizing the critical role the air traffic control system plays in the nation’s economic health and the mobility of our citizens, the President determined that the air traffic control system is a critical national infrastructure that must be protected from attack and must be able to reconstitute its operations rapidly in the event of an attack.

The results of fiscal year (FY) 2004 FISMA reports provided by Federal agencies and the Offices of the Inspectors General (OIG) show that a number of agencies have made significant progress meeting the goals set out by this Committee and OMB. DOT is one of the agencies that made significant progress last year and should be proud of the progress it has made. It is also important to recognize that Federal agencies, including DOT, are in the early stages of protecting their information and information systems and that continued attention must be paid to strengthening security against evolving threats. Understanding the actions DOT has taken to improve its security posture may help the Committee identify actions needed at other departments that have made less progress.

You asked us to address DOT’s progress in strengthening information security practices and the challenges it still faces, whether the Inspector General (IG) community needs an auditing framework to guide computer security audits, and the approach we take to audit computer security issues in DOT. Today I will discuss each of those issues.

DOT Made Significant Progress Improving Information Security

DOT made significant progress over the last 2 years protecting its information and information systems, but it still faces challenges to secure its systems. To a large extent, DOT’s progress can be directly attributed to the support and commitment of Secretary Mineta.

This progress was accomplished against a backdrop of increased attention to this important issue. In addition to the annual FISMA audit, DOT’s efforts to enhance its information security program are closely monitored by OMB as part of the President’s Management Agenda. The President also issued several directives requiring agencies to protect the Nation’s critical infrastructure.

The commitment to improve information security begins at the top, and we attribute much of the improvement DOT has made in this area to support from Secretary Mineta. In early 2003, the Secretary appointed a Chief Information Officer (CIO) and significantly strengthened his role and responsibilities. Since then, the CIO has played a much more prominent role in managing IT issues, including ensuring that the Department adopted disciplined processes to enhance its information security program in all DOT component agencies.

The following summarizes major improvements made by the Department.

• Increased focus on security in IT investment decisions. DOT is currently consolidating its Headquarters IT infrastructure by combining the services currently provided by 11 component agencies into a single infrastructure. In addition to reducing costs and improving operations, the consolidation should significantly improve security by reducing the number of network access points and, with them, the number of potential vulnerabilities.

• Strengthened DOT’s ability to protect networks from internal and external attacks. In 2003, DOT established a Department-wide security incident response center. This center, which operates 24 hours a day, prevents, detects, and analyzes hundreds of potential intrusions from the Internet. During FY 2004, DOT expanded its vulnerability checks to cover not only its public web sites but also computers on internal networks. DOT’s recent progress contrasts sharply with its prior efforts to protect its systems. In 1997, we reported that the Department lacked firewalls to prevent outsiders from accessing sensitive internal systems from the Internet. In 2000, we reported that the Department had installed firewalls; however, they were not properly managed. As a result, our staff was able to penetrate the firewall and gain unauthorized access to 250 DOT computers from the Internet. Today, DOT has strengthened security not only over the Internet entry points (the “front door”) but also over other network connection points (the “back door”) to DOT systems.

• Increased the number of systems certified and accredited from 33 percent to over 90 percent. System security certifications are a critical and effective way to provide confidence that systems are secured commensurate with their individual operational risks. DOT trailed behind the Government average, with only 10, 12, and 33 percent of its systems completing such reviews during FYs 2001, 2002, and 2003, respectively. During FY 2004, DOT made a concerted effort to increase the number of system security certification reviews by dedicating resources to do the reviews and closely monitoring progress.

• Strengthened background checks. DOT improved its security practices by performing background checks on contractor personnel hired to perform sensitive work such as administering DOT networks. We previously reported a widespread lack of background checks on contractor personnel. This was a major concern to DOT because of the large number of contractor personnel, estimated to be around 18,000. In recent years, the Department established better mechanisms to track contractor personnel movement and ensured that background checks were performed regardless of the contract length.

DOT Faces Challenges Improving Information Security

Notwithstanding recent progress, DOT still faces many challenges to secure its computer systems. Meeting them will require continued senior management attention to implement more disciplined, risk-based computer security processes. Our FY 2004 FISMA report cautioned that DOT, and FAA in particular, needed to follow through aggressively in implementing corrective actions to prevent the security program from deteriorating into a significant deficiency in FY 2005. The following summarizes key challenges facing the Department.

• Air traffic control system security must be enhanced. We have reported several significant security deficiencies affecting air traffic control en route computer systems, which are used to support high-altitude traffic. Because of the sensitive nature of these deficiencies, we can discuss only two of the issues at this public hearing. First, although FAA had certified that the en route systems were adequately secured, the reviews were limited to developmental systems located at FAA’s Technical Center computer laboratory. Operational systems deployed to the 20 en route centers also need to be reviewed because they are not mirror images of the developmental systems. Second, FAA has agreed to identify a cost-effective contingency plan to restore essential air service in the event of a prolonged en route center service disruption.

  We recently communicated to the FAA Administrator, the Office of the Secretary, and the CIO our concern that FAA has not made sufficient progress correcting these deficiencies. We are working closely with the departmental and FAA CIOs to ensure continued progress. FAA needs to continue to make progress to prevent the security program from deteriorating into a significant deficiency in FY 2005.

• The security certification process needs to be improved. The Department made good progress in completing these reviews during FY 2004. However, our review of the quality of the certification reviews identified various deficiencies, such as inadequate assessments of the risks facing the system; lack of evidence that tests were performed; and, in one case, a test item that had been listed as “passed” but failed when we re-tested it. We also found that the appropriate senior official did not always make the decision to allow the system to operate. Obtaining system accreditation from the correct authorizing official is critical because this official not only has to accept the system’s risk (impact) on business operations but also has to have the authority to allocate budget resources to secure the system. The CIO Office agreed to continue its efforts to enhance security certification and accreditation reviews.

• DOT needs to focus attention on emerging threats from new technologies. Evolving technologies create new vulnerabilities. DOT needs to be continually on guard to understand the emerging risks that come from new products, and the new threats that arise as hackers discover new ways to exploit software vulnerabilities. The CIO Office needs to consider emerging threats such as spyware (malicious software used to covertly capture sensitive user information), phishing (e-mails that lure users to fraudulent or compromised web sites that solicit sensitive information), and unsecured wireless communications.

Framework for Auditing Information Security Issues

In your invitation to us to testify, you asked us to discuss whether a framework for information security audits is needed. The fact that you raised this question suggests that the current framework does not fully meet oversight requirements. The DOT OIG supports and participates in several efforts to develop better computer security guidance for agencies and auditors to use, including an effort initiated by the President’s Council on Integrity and Efficiency—a group of Presidentially appointed IGs—to develop additional guidance for FISMA reporting. This group has begun looking at whether more standardization is needed but has not reached a consensus.

The IG community would benefit from greater clarity and understanding of how IG FISMA reports could be better structured to benefit both oversight organizations, such as this Committee, and the affected Department. Similarly, oversight organizations would benefit from understanding the challenges the IG community faces in addressing computer security issues in agencies with very different systems and missions. Discussions about this issue could help achieve a consensus. A key near-term action would be for the key players—OMB, GAO, congressional staff, and the IG community—to begin discussions of the pros and cons of increased standardization. Overall, we believe certain aspects of FISMA audits lend themselves to a more structured framework. The IGs also need to have the flexibility to deploy their limited resources in a cost-effective way to address the unique and evolving threats faced by their agencies.

Our Approach To Meet FISMA Requirements

The DOT OIG uses a two-pronged approach to meet the FISMA reporting requirements. Every year, we select a subset of systems and do detailed tests to answer the OMB performance measure questions, such as the percentage of systems with tested contingency plans. Throughout the year, we also perform various computer security audits with a focus on issues critical to DOT’s mission. For example, we are currently conducting reviews of a system used by FAA to maintain air traffic control field equipment, a system used by the National Highway Traffic Safety Administration to track problem drivers, and the network infrastructure used by the Federal Railroad Administration to support its safety inspection program. Based on all this work, we then make judgments about the strengths and weaknesses of DOT’s information security program when preparing our annual FISMA report.

We primarily rely on our IT audit staff to perform FISMA-related work, with limited contractor help in reviewing financial systems. Our staff consists of auditors, IT specialists, and computer scientists. This skill mix allows us to address both IT management and technical issues. In conducting our work, we follow GAO, NIST, and OMB guidance. Although neither FISMA nor OMB requires that our FISMA report meet Government auditing standards, we prefer to do so.1 We believe that reports based on Government auditing standards provide users with more assurance that the underlying work can be relied on for decision-making purposes.

1 FISMA allows IGs to issue either an audit report or an evaluation report. Audit reports must comply with Government auditing standards established by GAO, while evaluation reports do not.

Mr. Chairman, this concludes my oral testimony. More details are provided below. I would be happy to answer any questions.

PROGRESS DOT HAS MADE AND CHALLENGES IT FACES TO IMPROVE INFORMATION SECURITY

The Department has significantly improved its information security program over the last 2 years, and those improvements account for the significant strides DOT made in FY 2004. This progress is the result of strong commitment and support from Secretary Mineta who, in early 2003, significantly strengthened the CIO’s role and responsibilities. Before FY 2003, the CIO did not play a central role in ensuring that IT systems were secured against attack. Since then, the CIO’s role in Department-wide IT issues, including computer security, has become much more prominent. The CIO, with support from the Secretary and other senior leaders, has made good progress ensuring that component agencies take the steps needed to secure their systems. For example, the CIO Office now oversees the quality of component agency IT system security reviews. That oversight provides added assurance that systems have been adequately secured.

The attributes of effective Information Resources Management and computer security programs begin with commitment and support at the top of the organization. That commitment requires the appointment of a strong CIO with the authority and resources to set direction, provide the correct mix of skills to do the job, establish policies and guidelines, and ensure that subordinate organizations implement disciplined practices. When we began focusing resources on computer security issues in the late 1990s, DOT did not have those attributes. In fact, we found an almost total lack of attention to protecting critical systems and information. To illustrate, in April 1997, we reported that the Department’s computer systems lacked firewalls to prevent outsiders from accessing sensitive internal systems and information directly from public pages on the Internet. Over the next several years, we identified additional weaknesses, including unprotected telephone connections to DOT computer systems, a lack of background investigations for staff performing sensitive functions, and the lack of an effective process to certify systems as secure.

While DOT officials worked for several years to address these problems, their efforts were hampered initially by the lack of a strong CIO with the authority and resources to implement disciplined processes or to require the various component agencies to take computer security issues seriously. As a result, in FY 2000, we were still able to gain unauthorized access to 250 DOT computers through the Internet.

In November 2002, the Inspector General testified that the Department lacked those attributes. He pointed out that DOT had a long way to go to secure its computer systems and in fact had operated for the prior 1½ years without a CIO. He specifically recommended that the Department promptly appoint a CIO with the authority to provide Department-wide leadership and enforce compliance with security guidance. The Inspector General’s testimony also occurred against the backdrop of the President’s effort to focus attention on computer security issues through the President’s Management Agenda and to better protect critical national infrastructures through Presidential Decision Directives. The Department took the following actions:

• Secretary Mineta appointed a CIO in March 2003 and ensured that the CIO had the authority to implement disciplined information resource management and computer security practices.

• Within months, the CIO provided strong leadership by invigorating the Investment Review Board, which reviews IT investments to determine whether they should be modified, terminated, or allowed to continue. The Investment Review Board is headed by the Deputy Secretary with support provided by the CIO Office.

• The CIO secured a commitment from component agencies to implement the Department’s information security program. This effort is being carried out with the help of over 400 trained information security personnel. The CIO and component agencies also supplement these staff with contractor resources to address key technical issues.

• The CIO has made good progress implementing disciplined processes to enhance the information security program. For example, DOT has established a risk-based approach to perform system security reviews and to test system security. DOT also provides specialized training to security specialists.

• The CIO Office also took on more operational responsibilities, including establishing a full-time unit to monitor activity on all DOT networks. This has significantly strengthened DOT’s ability to detect and report attempted intrusions into DOT networks.

The CIO’s broader responsibilities led to increased funding needs to support the more disciplined processes and more intensive reviews, as well as the new operational responsibilities. However, the CIO Office needs to provide better justification for its IT budget requests. Because of the high level of generality and vagueness in the budget justification, Congress reduced the CIO Office’s FY 2004 budget by $15.9 million, from $23.4 million to $7.5 million. Our review confirmed that the CIO’s budget request and supporting documentation lacked the details that oversight organizations, including OMB and Congress, needed to understand how the funds would be used.

The CIO Office subsequently had to submit to both the House and Senate Committees on Appropriations a reprogramming request of about $2.5 million to cover costs associated with computer security activities, including funding to support its certification and accreditation reviews. The Committees approved the reprogramming, and the CIO Office agreed to provide more complete information in future budget requests so that decision-makers can make informed decisions about the appropriate level of funding.

The CIO also needs to improve how security-related budget requests are coordinated between the CIO Office and component agencies. For example, in its FY 2005 budget, the CIO Office requested $2 million to install advanced vulnerability remediation and patch management software to protect the Department’s IT infrastructure. About 90 percent of the installation would have been on FAA network computers. However, FAA had also set aside funds to acquire a similar solution, and the two requests had not been adequately coordinated.

DOT’s Progress Improving Information Security

The changes instituted by Secretary Mineta led to significant improvements in DOT’s ability to secure its information and information systems over the last 2 years, and especially in FY 2004. Some of the most noteworthy progress DOT has made in information security includes:

• Increased focus on security in IT investment decisions. The departmental Investment Review Board expanded its review of component agency investment projects to ensure that investment plans adequately addressed security issues. The CIO also directed component agencies to evaluate opportunities to consolidate common administrative and business systems. For example, DOT is currently consolidating its Headquarters IT infrastructure by combining the services currently provided by 11 component agencies into a single infrastructure. In addition to being an important initiative to reduce costs and improve operations, it should also significantly improve security by reducing the number of network access points and, therefore, the number of potential vulnerabilities.

• Strengthened ability to protect networks from internal and external attacks. DOT has made significant progress protecting its systems from internal and external attacks, a serious problem that had persisted for several years. In 2003, DOT established a Department-wide security incident response center. In cooperation with a similar center operated by FAA, this center operates 24 hours a day to prevent, detect, and analyze hundreds of potential intrusions from the Internet. During FY 2004, DOT expanded its vulnerability checks to cover not only its public web sites but also computers on internal networks in all component agencies. The CIO Office also issued guidelines for configuring computers securely to prevent vulnerabilities.

• Increased the number of systems certified and accredited from 33 percent to over 90 percent. System security certifications are a critical and effective way to provide confidence that systems are secured commensurate with their individual operational risks. This action provides additional assurance that DOT program operations that depend on computer systems can maintain the integrity, confidentiality, and availability of the information they rely on to carry out their missions.

• Strengthened background checks. DOT also made significant progress ensuring that background checks are performed on contractor staff performing sensitive services. Previously, we found that DOT did not require all contractors to undergo background checks and, even when the checks were required, many were never performed. DOT improved its security practices by requiring background checks for all contractor personnel performing sensitive activities, regardless of the contract length. Previously, background checks were not performed if the contract term was less than 6 months.

Challenges to Sustain This Progress

Notwithstanding recent progress, DOT still faces many challenges to secure its computer systems. Meeting them will require continued senior management attention to implement more disciplined, risk-based computer security practices. This is key to ensuring that critical information and systems are secure, especially the air traffic control system. For example:

• Air traffic control system security must be enhanced. During FYs 2003 and 2004, we reported several significant security deficiencies associated with air traffic control en route computer systems. En route systems control high-altitude traffic. Because of the sensitive nature of these deficiencies, we can discuss only two of the issues at this public hearing. We have previously discussed all of the issues with this Committee’s staff.

  First, although FAA certified that the en route systems were adequately secured, the reviews were limited to developmental systems located at FAA’s Technical Center computer laboratory. Operational systems deployed to en route centers also need to be reviewed. FAA has agreed to review operational en route systems by the end of FY 2005 and to review all other air traffic control systems—at approach control and airport terminal facilities—by the end of December 2007.

  Second, FAA has agreed to identify a cost-effective contingency plan to restore essential air service in the event of a prolonged service disruption at an en route center. This is important because the President has designated the air traffic control system a critical national infrastructure. Presidential guidance calls for critical infrastructures to have contingency plans in place to restore essential services in a timely manner. FAA will use the results of an alternatives analysis to identify cost-effective alternatives. FAA needs to focus now on the near-term actions it can take to restore partial services in the event of a prolonged disruption.

• The security certification process needs to be improved. The security certification review, which is performed by system owners in conjunction with the CIO Office, is a critical and effective security measure to determine whether individual systems are adequately secured commensurate with operational risks. The Department made good progress in completing these reviews during FY 2004. However, the CIO Office needs to continue working with component agencies to improve the quality of the reviews. Our review of the quality of the certification reviews for 20 systems identified 1 or more deficiencies in 14 cases. These deficiencies included inadequate assessments of the risks facing the system; lack of evidence that tests were performed; and, in one case, a test item that had been listed as “passed” but failed when we re-tested it.

  We also found that the appropriate senior official did not always make the decision to allow the system to operate. One of the most important steps in completing a security certification and accreditation review is the responsible senior official’s (the system user’s) decision whether to accept the remaining security weaknesses and allow (accredit) the system to operate. Obtaining system accreditation from the correct authorizing official is critical because this official not only has to accept the system’s risk to business operations but also has to have the authority to allocate budget resources to secure the system. In 4 of the 20 systems we reviewed, technical managers, and not the appropriate senior official, accredited the systems for operation. The CIO Office agreed to continue its efforts to enhance the security certification and accreditation review process.

• DOT needs to focus attention on emerging threats from new technologies. Evolving technologies create new vulnerabilities. DOT needs to be continually on guard to understand the emerging risks that come from new products and the new threats that arise as hackers discover new ways to exploit software vulnerabilities. The CIO Office needs to consider emerging threats associated with technologies, including:

  - Software, called spyware, that allows malicious individuals to covertly capture sensitive information from a user’s system;

  - Phishing, which is a form of e-mail that directs users to a fraudulent or compromised web site that then solicits personal, financial, or business information;

  - Wireless technologies, which can increase the risk that agency information will be compromised. Wireless technology poses a threat in part because the devices tend to be managed by individuals, who may be less security conscious than system administrators.

Overall Security Program Status

Our FY 2004 FISMA report concluded that, based on the progress the Department made, the overall status of the security program, and FAA’s commitment to take aggressive action to correct air traffic control deficiencies, DOT’s information security program warranted downgrading from a material weakness to a reportable condition. We cautioned, however, that DOT, and FAA in particular, needed to follow through aggressively in implementing corrective actions to prevent the security program from deteriorating into a significant deficiency in FY 2005. We cited FAA’s progress reviewing operational systems and implementing en route center contingency plans as a key factor we will use in determining whether DOT’s security program contains significant deficiencies in FY 2005.

Now, 6 months later, we are concerned that FAA has not made sufficient progress correcting the en route air traffic control deficiencies we reported last year, including security certification reviews of computer systems at en route centers and development of contingency plans to restore air traffic control services in case of a prolonged service disruption at an en route center. We have communicated these concerns in writing to the responsible DOT officials, including the CIO, the Office of the Secretary, and the Federal Aviation Administrator. The FAA CIO responded to those concerns, indicating FAA’s continued commitment to pursue timely implementation of corrective actions. We are now engaged in further discussions with the departmental and FAA CIOs about the actions needed to ensure continued progress on these important issues.

FRAMEWORK FOR AUDITING INFORMATION SECURITY

The fact that you raise the question of whether a framework for information security audits is needed indicates that the current framework does not fully meet your oversight requirements. The DOT OIG supports and participates in several efforts to develop better computer security guidance for agencies and auditors to use,2 including an effort initiated by the President’s Council on Integrity and Efficiency—a group of Presidentially appointed IGs—to develop additional guidance for auditing security issues and for reporting FISMA results. This group has begun looking at whether more standardization for FISMA reporting is needed but has not reached a consensus.

2 Our Deputy Assistant Inspector General for Information Technology and Computer Security is also a member of the Information Security and Privacy Advisory Board. The Board is responsible for advising NIST and the OMB Director on information security and privacy issues pertaining to Federal Government information systems. The Board was established by the Computer Security Act of 1987 and reauthorized by FISMA.

The IG community would benefit from greater clarity and understanding of how IG FISMA reports could be better structured to benefit both oversight organizations, such as this Committee, and the affected Department. Similarly, oversight organizations would benefit from understanding the challenges the IG community faces in addressing computer security issues in agencies with very different systems and missions. Discussions about this issue could help achieve a consensus. A key near-term action would be for the key players—OMB, GAO, congressional staff, and the IG community—to begin discussions of the pros and cons of increased standardization. Overall, we believe certain aspects of FISMA audits lend themselves to a more structured framework. The IGs also need to have the flexibility to deploy their limited resources in a cost-effective way to address the unique and evolving threats faced by their agencies.

Some key issues that the DOT OIG believes need to be considered in this dialogue follow.

• The IG community needs to retain the flexibility to address the unique and evolving threats and vulnerabilities faced by each agency. Both agencies and auditors need the flexibility to focus their resources on the burning issues of the day. We all need to use a risk-based approach to strengthen computer security, and we need to adjust our focus to address evolving risks. For example, DOT maintains a wide variety of systems with very different vulnerabilities and consequences. The consequences of an attack on a system that maintains information about employee training are very different from the consequences of an attack on an air traffic control system. Similarly, because agencies have achieved different levels of maturity in addressing computer security issues, agencies and auditors must focus their limited resources on the most vulnerable security processes faced by the agency. For example, some OIGs are still reporting that their agencies lack a complete inventory of systems or a reliable system to track vulnerabilities and action plans. Those agencies and their auditors need to be able to focus their attention on getting those basic processes in place to correct those high-risk deficiencies.

• NIST and GAO have provided a common framework for implementing and auditing computer security. NIST recently issued a series of guidelines and standards for agencies to use, as required by FISMA. We find NIST guidance to be very useful because it is generally complete, adequately detailed, and authoritative. DOT applies NIST guidance, and we use it as criteria when we evaluate how effectively DOT’s security program is operating. GAO has also issued guidance for auditing security over individual computer systems, called the Federal Information System Controls Audit Manual.
The entire IG community commonly uses this manual when\n  auditing security over individual systems.\n\n\xe2\x80\xa2 Agencies and auditors also need to ensure that they devote adequate\n  resources to improve all information resources management processes.\n  This is because computer security is an important subset of information\n  resources management. Instituting disciplined management practices is\n  critically important to ensure that agencies receive value for the billions of\n  dollars spent on IT, but it is also critical to ensure adequate security. Efforts\n  to strengthen the CIO and Investment Review Board functions have spill-\n  over effects that lead to improved computer security. For example, a strong\n  investment review process can build computer security into the system, a\n  much more cost-effective approach than identifying and correcting\n  deficiencies after system deployment. Some estimates show it costs 10 times\n  as much to correct problems after deployment.\n\n\xe2\x80\xa2 Financial statement and FISMA audits. You also asked whether financial\n  statement audit guidance provides a model for computer security audits. The\n  American Institute of Certified Public Accountants developed the financial\n  statement audit requirements, which are supplemented by the GAO\xe2\x80\x99s\n  Financial Audit Manual. Financial audit guidance has evolved continuously\n  over the last 100 years, most recently to incorporate the stronger\n  requirements to audit management controls imposed by the Sarbanes-Oxley\n  Act. Most IGs also conduct a wide range of other financially related audits to\n  address financial management issues that are not covered by financial\n  statement audits. Because computer security did not receive a lot of attention\n  until about 20 years ago when Congress passed the Computer Security Act of\n  1987, information security audits are still in their infancy. 
Certain aspects of\n  information security audits clearly lend themselves to a structured\n  framework, including network vulnerability assessments, system penetration\n  testing, and intrusion detection and incident response capabilities.\n\n\n\n                                       14\n\x0cOUR APPROACH TO MEETING FISMA REQUIREMENTS\nThe DOT OIG approaches the FISMA reporting requirement as a part of our\nefforts to ensure that DOT has effective IRM processes in place. We perform a\nseries of computer security audits during the year focused on the issues we believe\ninvolve the highest risk or the issues that most need management\xe2\x80\x99s attention. The\nresults of those efforts are then included in our annual FISMA report.\n\nThroughout the year, we focus a significant amount of our IT resources on\ninformation security issues. Our IT audit staff consists of auditors, IT specialists,\nand computer scientists. This mix of IT management and technical skills allows\nus to address both the management processes and the detailed technical issues the\nDepartment faces as it strengthens its computer security capabilities. For example,\nwe use our computer scientists to do very technical reviews, including penetration\ntesting or identification of system design or software flaws. We use our IT\nauditors to analyze the quality of management processes, like the certification and\naccreditation process, and to make constructive recommendations to strengthen\nprocesses. As we stated earlier, disciplined processes are essential to an effective\ncomputer security program. 
We also hire contractors to help us audit computer\ncontrols related to financial systems.\n\nTo be ready to meet the annual FISMA reporting requirement, we monitor the\nCIO\xe2\x80\x99s efforts to comply with OMB reporting requirements throughout the year.\nAfter OMB issues its guidance specifying which performance measures it wants\ntracked, we select a subset of systems and do detailed tests of the source data to\nanswer the OMB performance measure questions. Our FISMA report also draws\non all other audit work we have done during the year to make judgments about the\nstrengths and weaknesses of DOT\xe2\x80\x99s computer security efforts.\n\nFor example, we recently initiated two computer security audits. We are\nreviewing the National Highway Traffic Safety Administration\xe2\x80\x99s National Driver\nRegistry system. The system is a central repository of information about\nindividuals who have had their driver\xe2\x80\x99s license suspended or revoked. The\ninformation that resides on the system, such as social security numbers, is subject\nto Privacy Act protection. Unauthorized disclosure of this information could lead\nto identity theft, a problem that has affected nearly 10 million Americans. We will\nreview this system to ensure that the information is reliable and that access to the\ninformation is only available to authorized personnel. We have discussed this\naudit with your staff members who have expressed interest in the results.\n\nWe are also reviewing the Federal Railroad Administration\xe2\x80\x99s (FRA) network\ninfrastructure, which is critical to the missions of DOT and FRA. FRA is one of\nfive DOT component agencies that have its own direct Internet connections,\n\n\n                                         15\n\x0callowing the public to access the DOT network from the Internet. 
We will review\nthe network infrastructure to ensure security weaknesses do not exist that could\njeopardize the confidentiality, integrity, and availability of the data residing on\nFRA and DOT systems.\n\nIn conducting our work, we follow GAO, NIST, and OMB guidance. GAO\nestablishes Government auditing standards, which we follow in performing\ncomputer security audits. Although neither FISMA nor OMB requires that our\nFISMA report meet Government auditing standards, we prefer to do so. We\nbelieve that reports based on Government auditing standards provide users with\nmore assurance that the underlying work can be relied on for decision-making\npurposes.\n\n\n\n\n                                        16\n\x0c'